
Setting DDoS Attack Defense Parameters

This section describes how to set DDoS attack defense parameters before enabling DDoS attack defense.

Procedure

  1. In the user view, access the system view.

    system-view

  2. Access the interface view.

    interface interface-type interface-number

  3. Enable the traffic statistics collection function.

    anti-ddos flow-statistic enable

    The interface-based traffic statistics collection function is disabled by default. Enable this function before configuring DDoS attack defense.

  4. Return to system view.

    quit

  5. Configure the traffic detection and cleaning mode.

    ddos-mode { detect-clean | detect-only }

    The default defense mode is detect-clean.

  6. Configure the DDoS traffic sampling ratio.

    anti-ddos statistic sampling-fraction sampling-fraction

    If sampling-fraction (the sampling coefficient) is configured, the sampling ratio is 2^sampling-fraction:1, which means one out of every 2^sampling-fraction packets is sampled. For example, if sampling-fraction is set to 2, the sampling ratio is 4:1, which means one out of every four packets is sampled.

    sampling-fraction is an integer ranging from 0 to 15. The default value is 0.

  7. Configure delays for enabling and disabling attack defense.

    anti-ddos defend-time start-delay start-delay end-delay end-delay

    start-delay is an integer ranging from 1 to 254, in seconds. The default value is 1.

    end-delay is an integer ranging from 1 to 3600, in seconds. The default value is 600.

  8. Configure the alarm threshold for traffic to enter the DDoS defense process.

    anti-ddos destination-ip alert-rate alert-rate

    The default value is 0, indicating that all traffic enters the DDoS defense process.

    After this function is configured, the FW collects the statistics on the traffic that arrives at a destination IP address. If the traffic that arrives at the destination IP address exceeds the alarm threshold, the traffic enters the DDoS defense process.

    Because only traffic that exceeds the threshold enters the defense process, this function improves FW performance.

  9. Set the aging time of the source IP address monitoring table.

    anti-ddos source-ip detect aging-time time

    time is an integer ranging from 1 to 60000, in seconds. The default value is 1800.

    If the FW determines that an IP address is real, the FW adds the address to the source IP address monitoring table, which is equivalent to a whitelist. All packets from the source IP address are considered legitimate and permitted by the FW without verification, unless the address in the monitoring table expires.

    Unlike the aging mechanism of an entry in the session table, the aging time of an entry in the source IP address monitoring table starts from the time the entry was created, and the remaining keepalive time is not updated when a packet matches the entry. When the configured aging time elapses, the entry expires.

  10. Optional: Configure interworking with the ATIC.
    1. Run the firewall ddos log-server-ip server-ip command to enable the interworking with the ATIC and specify an ATIC server address.
    2. Run the firewall ddos log-local-ip local-ip command to specify an IP address for the FW.

      The FW can function as a detection device to interwork with the ATIC management center. If the FW detects abnormal traffic, it sends logs to the ATIC management center.

      When the FW is deployed in in-line mode, a traffic diversion policy is configured on the ATIC, and traffic diversion is in effect, a traffic switchover occurs if the FW stops reporting anomaly logs because it fails to receive traffic, and the traffic can then no longer be cleaned.
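The fixed-expiry behaviour of the source IP address monitoring table (step 9) is easy to misread as session-style aging. The following added example, which is not Huawei code, models both behaviours so the difference is visible: a source verified at t=0 stays whitelisted until exactly aging-time seconds after creation, no matter how many packets match, whereas a session-table entry is refreshed by every matching packet. The class names, the constructed source address and the packet timestamps are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Range and default of "anti-ddos source-ip detect aging-time time" as given on the page.
AGING_MIN, AGING_MAX, AGING_DEFAULT = 1, 60000, 1800


@dataclass
class MonitoringTable:
    """Source IP monitoring table: entry expires at created_at + aging_time, never refreshed."""
    aging_time: int = AGING_DEFAULT
    entries: dict = field(default_factory=dict)  # src_ip -> creation time (s)

    def __post_init__(self):
        if not AGING_MIN <= self.aging_time <= AGING_MAX:
            raise ValueError("aging-time must be 1..60000 seconds")

    def add_verified(self, src_ip, now):
        self.entries[src_ip] = now

    def is_trusted(self, src_ip, now):
        created = self.entries.get(src_ip)
        if created is None:
            return False
        if now - created >= self.aging_time:
            del self.entries[src_ip]  # expired: the source must be verified again
            return False
        return True  # a matching packet does NOT extend the entry's lifetime


@dataclass
class SessionTable:
    """Session-style aging shown for contrast: each matching packet refreshes the timer."""
    aging_time: int = AGING_DEFAULT
    entries: dict = field(default_factory=dict)  # key -> time of last matching packet (s)

    def add(self, key, now):
        self.entries[key] = now

    def is_active(self, key, now):
        last = self.entries.get(key)
        if last is None or now - last >= self.aging_time:
            self.entries.pop(key, None)
            return False
        self.entries[key] = now  # refreshed on every match
        return True


def simulate(packet_times, aging_time=AGING_DEFAULT, src_ip="198.51.100.7"):
    """Source verified at t=0 (constructed address); return (monitoring, session) trust results
    for packets arriving at the given times in seconds."""
    mon, ses = MonitoringTable(aging_time), SessionTable(aging_time)
    mon.add_verified(src_ip, 0)
    ses.add(src_ip, 0)
    return ([mon.is_trusted(src_ip, t) for t in packet_times],
            [ses.is_active(src_ip, t) for t in packet_times])
```

With the default aging time, a source that keeps sending every few hundred seconds is dropped from the whitelist at t=1800 and re-verified, while the session-style entry would have stayed alive indefinitely.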

Copyright © Huawei Technologies Co., Ltd.